Flame C&C network linked to three unknown malware programs

Analysis of the Flame command & control platform shows the existence of three other malicious programs, at least one of which may be in the wild

Kaspersky researchers say they have evidence that at least one unknown malware controlled by the same C&C network as Flame is still in the wild.

At least three malicious programs related to the Flame cyber-espionage tool went undiscovered, and at least one of them is still active in the wild, according to Kaspersky Lab.

The security company said that research it has conducted in partnership with IMPACT (the International Telecommunication Union's cybersecurity executing arm), CERT-Bund/BSI and Symantec proves the existence of three unknown malicious programs that were linked to the Flame command and control (C&C) server network.

The Flame malware, which comprised a complex set of tools for stealing data from infected PCs, was discovered in May this year. Infected PCs communicated with an equally complex C&C infrastructure, which used 80 known domain names, with servers hosting the Flame C&C infrastructure moved between multiple locations, including Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, the United Kingdom and Switzerland.

The C&C network used sophisticated encryption to protect data uploaded by infected machines. Analysis of the scripts used to handle data transmissions to the victims revealed four communication protocols, only one of which was compatible with Flame. This is proof, Kaspersky said, that at least three other Flame-related malicious programs were created, although their nature is still unknown, and there is evidence that at least one Flame-related malware program is operating in the wild. Kaspersky added that there is no evidence that the Flame C&C infrastructure was used to control known malware such as Stuxnet or Gauss.

Further analysis of the C&C network has also shown that it was established earlier than previously thought, with development of the platform dating back to at least December 2006. The C&C platform was also still being developed, with evidence pointing to a communication scheme called 'Red Protocol', which was mentioned but not yet implemented.

The C&C servers were also apparently disguised to look like an ordinary Content Management System, in order to avoid attention from the hosting provider.

"It was problematic for us to estimate the amount of data stolen by Flame, even after the analysis of its Command and Control servers. Flame's creators are good at covering their tracks. But one mistake of the attackers helped us to discover more data that one server was intended to keep. Based on this we can see that more than five gigabytes of data was uploaded to this particular server a week, from more than 5,000 infected machines. This is certainly an example of cyber espionage conducted on a massive scale," commented Alexander Gostev, chief security expert, Kaspersky Lab.